splunk-connect-for-syslog
citrix_netscaler date format issue (SC4S v2.32.6)
As part of an upgrade, during regression testing of Citrix, we found data not being parsed correctly for August only.
Test Data (for each month)
echo '<12> 01/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
echo '<12> 02/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
echo '<12> 03/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
echo '<12> 04/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
echo '<12> 05/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
echo '<12> 06/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
echo '<12> 07/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
echo '<12> 08/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
echo '<12> 09/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
echo '<12> 10/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
echo '<12> 11/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
echo '<12> 12/13/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
Result for all months except August is correct, i.e. converting mm/dd/yyyy to dd/mm/yyyy.
Further tests confirm this is only happening for August.
Correct: echo '<12> 07/05/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
Incorrect: echo '<12> 08/05/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
Correct: echo '<12> 09/05/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/127.0.0.1/9514
Today the behaviour is different (tested on 3 environments with the following data)
Correct: echo '<12> 07/05/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/xxxxx/514
Correct: echo '<12> 08/05/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/xxxxx/514
Incorrect: echo '<12> 09/05/2022:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - - '> /dev/udp/xxxxx/514
We will check this and get back.
This looks like some issue with your system; I tested the same in our lab and we couldn't reproduce it.
As pointed out above, we could not replicate the issue, closing the ticket.
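A way to score such a regression run, added here as an example and not part of the thread or of SC4S: it takes a test event and the epoch the pipeline indexed for it (for instance the event's `_time` in Splunk) and reports whether the result matches the month-first reading, the day/month-swapped reading, or neither. The function names and the shortened `fixture` event are hypothetical and constructed for illustration; the input time is assumed to be GMT as in the test data.

```python
import re
from datetime import datetime, timezone

# Header of the test events on this page: "<PRI> MM/DD/YYYY:HH:MM:SS GMT ..."
HEADER = re.compile(r"^<\d{1,3}>\s*(\d{2})/(\d{2})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) GMT ")


def _fields(line):
    m = HEADER.match(line)
    if m is None:
        raise ValueError("no NetScaler timestamp header: %r" % line[:40])
    return tuple(int(g) for g in m.groups())


def expected_epoch(line):
    """Epoch seconds when the date is read month-first (MM/DD/YYYY), in GMT."""
    mon, day, year, hh, mi, ss = _fields(line)
    return int(datetime(year, mon, day, hh, mi, ss, tzinfo=timezone.utc).timestamp())


def swapped_epoch(line):
    """Epoch seconds a day-first reader would produce, or None if that date is invalid."""
    mon, day, year, hh, mi, ss = _fields(line)
    try:
        return int(datetime(year, day, mon, hh, mi, ss, tzinfo=timezone.utc).timestamp())
    except ValueError:
        return None  # e.g. 08/13: there is no month 13, so a swap cannot pass silently


def verdict(line, indexed_epoch):
    """Compare the timestamp the pipeline indexed with both readings of the header."""
    if indexed_epoch == expected_epoch(line):
        return "ok"
    if indexed_epoch == swapped_epoch(line):
        return "swapped"
    return "other"  # neither reading, e.g. receive time used instead of event time


def fixture(month, day, year=2022):
    """Constructed event with the same header layout as the test data above."""
    return ("<12> %02d/%02d/%d:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST "
            "1234567 : constructed sample" % (month, day, year))


if __name__ == "__main__":
    for month in range(1, 13):
        line = fixture(month, 5)
        print(line[:30], expected_epoch(line), swapped_epoch(line))
```

Fixtures with day 05 have a valid swapped reading for every month, so a swap there shows up only as a wrong date; fixtures with day 13 have none.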